Account Harvesting: The Fail Trifecta of Web Application Security

At our testing practice here at Fortify on Demand, we test a lot of web applications. We get them both as standalone web apps and as backends to mobile applications. During the course of this work, we (too) often come across a serious issue that we refer to as Account Harvesting.